Oracle HTTP Server (OHS) is a solid web tier for serving applications as a front end, reverse proxy, load balancer etc. It is based on Apache, with customized functionality added by Oracle, and is Oracle's proprietary software.
To secure OHS, block unwanted request methods by allowing only the required ones:
Deny from all
XSS vulnerability block:
FileETag None
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
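An added check, not from the original post, that audits a captured HTTP response against the directives above; the two sample responses are constructed and the allowed-method list is an assumption about what the method block leaves enabled:

```python
"""Audit an HTTP response against the OHS hardening directives above (added
example; the sample responses are constructed, ALLOWED_METHODS is an assumption)."""
ALLOWED_METHODS = {"GET", "POST", "HEAD"}  # assumed "required" methods

def parse_headers(raw):
    """Return (name, value) pairs from raw HTTP response text; names lower-cased."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Return sorted findings; an empty list means every directive took effect."""
    headers = parse_headers(raw)
    get = lambda name: [v for k, v in headers if k == name]
    findings = []
    for cookie in get("set-cookie"):  # Header edit Set-Cookie ... ;HttpOnly;Secure
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in flags:
                findings.append(f"Set-Cookie lacks {flag}: {cookie.split(';')[0]}")
    if get("etag"):  # FileETag None should have removed it
        findings.append("ETag present (FileETag None not applied)")
    if not any(v.upper() in ("SAMEORIGIN", "DENY") for v in get("x-frame-options")):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if "1; mode=block" not in get("x-xss-protection"):
        findings.append("X-XSS-Protection not set to '1; mode=block'")
    for allow in get("allow"):  # Allow is what an OPTIONS request returns
        extra = {m.strip().upper() for m in allow.split(",")} - ALLOWED_METHODS
        if extra:
            findings.append("methods enabled beyond allow-list: " + ",".join(sorted(extra)))
    return sorted(findings)

UNHARDENED = """HTTP/1.1 200 OK
ETag: "1a2b-3c4d"
Set-Cookie: JSESSIONID=abc123; Path=/
Allow: GET,HEAD,POST,OPTIONS,TRACE
"""

HARDENED = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/;HttpOnly;Secure
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Allow: GET,HEAD,POST
"""
```

Feed it the headers from `curl -sI` or an `OPTIONS` request against the instance; a non-empty result lists which directive has not taken effect.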
Oracle HTTP Server 12.1.2, reference taken from the Oracle website:
Bind the process to privileged ports such as 80 and 443:
- Create a temp file as the user who installed OHS: echo `id -ng`: bind > /tmp/cap.ora
- The $ORACLE_HOME/oracle_common/bin/hasbind file needs its ownership and permissions changed with root privileges. Change ownership of the file to root: chown root $ORACLE_HOME/oracle_common/bin/hasbind
- Change the permissions on the file as follows: chmod 4755 $ORACLE_HOME/oracle_common/bin/hasbind
- Generate the /etc/cap.ora file. If /etc/cap.ora does not exist, copy the temporary cap.ora file you created in step 1 to the /etc/ directory: cp /tmp/cap.ora /etc/cap.ora
- If /etc/cap.ora does exist, append the contents of the temporary file you created in step 1 to the existing /etc/cap.ora file: cat /tmp/cap.ora >> /etc/cap.ora
- Change the permissions on the /etc/cap.ora file as follows: chmod 644 /etc/cap.ora
- Change ownership of the file to root: chown root /etc/cap.ora
- Now start your instance.
Start with root on OHS 12.2.1.3.0
Update $ORACLE_HOME/ohs/bin/launch with the following steps; you need root or superuser privileges for this action:
Change ownership of the file to root:
chown root $ORACLE_HOME/ohs/bin/launch
Change the permissions on the file as follows:
chmod 4750 $ORACLE_HOME/ohs/bin/launch
Only the steps above require root privileges.
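An added pre-start check, not Oracle's own tooling, covering both the 12.1.2 hasbind/cap.ora steps and the 12.2.1.3.0 launch step above: it verifies the ownership and modes the chown/chmod steps should have produced, and writes the cap.ora entry only once (the `cat >>` step appends a duplicate every time it is re-run). The file paths are the ones in the steps; the group name is a parameter.

```python
"""Pre-start check for the root-owned helpers above (hasbind on 12.1.2, launch on
12.2.1.3.0) and for cap.ora. Added example, not Oracle's code; paths follow the steps."""
import os
import stat

def cap_ora_entry(group):
    """The line step 1 writes with: echo `id -ng`: bind"""
    return f"{group}: bind"

def merge_cap_ora(existing, entry):
    """cap.ora content with entry present once; re-running 'cat >>' would duplicate it."""
    lines = [l.strip() for l in existing.splitlines() if l.strip()]
    if entry not in lines:
        lines.append(entry)
    return "\n".join(lines) + "\n"

def check_root_file(path, expected_mode, need_setuid):
    """Findings for a file that must be owned by root with exactly expected_mode."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owner uid {st.st_uid}, expected root")
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    if need_setuid and not mode & stat.S_ISUID:
        findings.append(f"{path}: setuid bit missing, bind to ports below 1024 will fail")
    return findings

def check_cap_ora(path, group):
    """cap.ora must be root-owned 0644 and list '<group>: bind'."""
    findings = check_root_file(path, 0o644, need_setuid=False)
    if os.path.exists(path):
        with open(path) as fh:
            entries = [l.strip() for l in fh]
        if cap_ora_entry(group) not in entries:
            findings.append(f"{path}: no '{cap_ora_entry(group)}' entry")
    return findings

def preflight_hasbind(oracle_home, group, cap_ora="/etc/cap.ora"):
    """12.1.2 route: setuid hasbind (4755) plus the cap.ora entry."""
    return (check_root_file(f"{oracle_home}/oracle_common/bin/hasbind", 0o4755, True)
            + check_cap_ora(cap_ora, group))

def preflight_launch(oracle_home):
    """12.2.1.3.0 route: setuid launch, mode 4750, root-owned."""
    return check_root_file(f"{oracle_home}/ohs/bin/launch", 0o4750, True)
```

Run `preflight_hasbind($ORACLE_HOME, group)` or `preflight_launch($ORACLE_HOME)` before starting the instance; an empty list means the root-only steps are in place.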
OHS – creating a certificate for multiple DNS aliases –
- create a JKS keystore
- create a CSR
- once the certificates are received from the CA, import all of them: first the root certificates, then the user certificate
- now create an empty wallet with auto_login
- import the JKS into the newly created wallet:
/PATH/Middleware/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./wallet2 -pwd "password" -keystore fqdn.jks -jkspwd "passwordforkeystore"
OHS – create a second instance on a 12.2.1.3.0 standalone domain:
stop ohs1
stop NM
connect to WLST offline and apply the following commands –
$ORACLE_HOME/oracle_common/common/bin/wlst.sh
within WLST apply the following commands:
readDomain('/appl/app/oracle/product/Middleware/user_projects/domains/OHS_domain')
cd('/')
create('ohs2', 'SystemComponent')
cd('/SystemComponent/ohs2')
cmo.setComponentType('OHS')
set('Machine', 'localmachine')
cd('/OHS/ohs2')
cmo.setAdminHost('127.0.0.1')
cmo.setAdminPort('7788')
cmo.setListenAddress('')
cmo.setListenPort('7725')
cmo.setSSLListenPort('4425')
cmo.setServerName('http://fqdnmmmm:7725')
updateDomain()
exit()
Now start both ohs1 and ohs2 after starting the NM.
Worth reading: https://docs.oracle.com/middleware/12212/lcm/ASADM/GUID-F62D422F-3D56-4E80-BD60-0C266C57F5EA.htm#ASADM-GUID-45A23B1C-5C15-45E3-BF32-3B9E46A965AE
Adding a cert request to an Oracle wallet (generic syntax):
orapki wallet add -wallet wallet_location -dn user_dn -keysize certificate_key_size -addext_ski -addext_ku extension_key_usage -addext_basic_cons CA -pathLen number -addext_san DNS
Three-step approach to create a wallet and request the certificate:
-------------------------------------------------------------------
$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./wallet2 -auto_login
$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet ./wallet2 -dn 'CN=dev.techs.com, OU=Internal Services, O=techs, ST=Nalagarh, C=IN' -keysize 2048 -pwd Password -addext_san DNS:dev2.techs.com,DNS:dev3.techs.com
$ORACLE_HOME/Middleware/oracle_common/bin/orapki wallet export -wallet ./wallet2 -dn 'CN=dev.techs.com, OU=Internal Services, O=techs, ST=Nalagarh, C=IN' -request ./dev.techs.com.csr -pwd Welcome123
Worth reading:
https://docs.oracle.com/middleware/12213/webtier/administer-ohs/workwith.htm#HSADM12094
———————————————————————————–
OHS12c – multiple sub-domains setup
To achieve this I used multiple VHs, with a separate SSL cert in a segregated wallet for each.
Earlier I tried to achieve this with SAN certs, but Oracle Forms (11g) created an issue as the environment file was not being called; that is the expected behaviour of the RP rules, which always read from the top rule and ignore all other rules within the single VH.
One more fact I noticed with OHS is that we cannot use multiple SSL certificates on the same VH, or even on multiple VHs pointing to different certificates in different wallets. To have separate SSL on the same OHS instance we need either separate IPs or separate ports. The same applies to a multi-instance OHS setup.
Also, if we use multiple hosts with multiple SSL wallets in a single instance, it will always consider the first wallet and ignore the certificates in the other wallets of the other VHs.
Verify your website's SSL configuration:
On your Linux machine, or on Windows if OpenSSL is installed, use the following command:
openssl s_client -connect secure-labs.techsteppers.com:443 -tls1_2
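An added helper, not from the original post, that reads the output of that openssl command and checks the verify result, the negotiated protocol, and whether the served certificate's CN covers the virtual host you asked for (a different VH's CN is the symptom of the first-wallet behaviour noted above). The two outputs in the block are constructed samples; the CN match covers exact names and single-label wildcards.

```python
"""Sanity-check output of 'openssl s_client -connect host:443 -tls1_2' for one VH.
Added example, not from the original post; GOOD and WRONG_WALLET are constructed."""
import re

def _grab(pattern, text, default=None):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else default

def parse_s_client(output):
    """Extract subject CN, protocol and verify result from s_client output."""
    subject = _grab(r"^subject=(.*)$", output, "")
    return {
        "cn": _grab(r"CN\s*=\s*([^,/]+)", subject, ""),  # 'CN = x' or '/CN=x' form
        "protocol": _grab(r"^\s*Protocol\s*:\s*(\S+)", output),
        "verify_code": int(_grab(r"Verify return code:\s*(\d+)", output, "-1")),
        "verify_text": _grab(r"Verify return code:\s*\d+\s*\((.*?)\)", output, "no verify line"),
    }

def cn_covers(cn, host):
    """Exact match, or a single-label wildcard such as *.techsteppers.com."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host

def verify_site(output, host):
    """Findings for virtual host 'host'; empty means its own cert was served and verified."""
    info = parse_s_client(output)
    findings = []
    if info["verify_code"] != 0:
        findings.append(f"chain not verified: {info['verify_code']} ({info['verify_text']})")
    if info["protocol"] != "TLSv1.2":
        findings.append(f"negotiated {info['protocol']}, expected TLSv1.2")
    if not cn_covers(info["cn"], host):
        findings.append(f"served CN '{info['cn']}' does not cover {host}: check which wallet the VH uses")
    return findings

GOOD = """subject=CN = secure-labs.techsteppers.com
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

WRONG_WALLET = """subject=/C=IN/O=techs/CN=dev.techs.com
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 21 (unable to verify the first certificate)
"""
```

Pipe the real output in (add `-servername <vh>` so each VH is tested by its own name) and pass the VH name to `verify_site`.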
————————————————————————————-
OHS SSL Setup on 12.2.1.3.0 – Collocated OHS with Oracle Forms and Reports
————————————————————————————-
Followed the Oracle note (Doc ID 2124504.1).
I missed the WebLogic-level trust import, which caused the issue; once I imported the trusted certs into the trust stripe, I was able to export the keystore to a wallet.
Generic steps followed:
create a stripe from the WebLogic domain by going into Security --- Keystore
create a keystore from OHS --- Security --- Keystore
make sure you create the keystore as policy
--------
now click on the newly created keystore ... Manage ... Generate Keypair
select the new keypair and create a CSR from it
-----
once the certificate is received
-----
go to OHS --- Security --- Keystore --- select the keystore from which the CSR was created and click on Manage
import the trusted certificates first
----
now import the trusted certificates into the WebLogic domain
Security --- Keystore, expand the system stripe and select the trust keystore
import all trusted certificates into the TRUST keystore
----
Now import the user certificate into OHS --- Security --- Keystore, into the keystore from which you created the CSR
----
next step is to export the keystore to a wallet
again go to OHS --- Security --- Keystore ... Manage and export to wallet
Note: on OHS 12c you need to get the lock and edit session from the EM console, and once the certificate is exported, do not forget to save the changes of the lock and edit session.
----
Now the next step is to enable SSL
go to OHS --- Administration --- Virtual Hosts
select the name --- Configure --- SSL Configuration
tick the Enable SSL checkbox
in Server Wallet Name select the wallet path, click OK, restart OHS
Now the remaining trouble is getting the contexts working for /forms, /console, /em, /ords etc.
———————————————————–
Scenario to implement the multi-domain setup
———————————————————–
machine-srv-01
  domain 01 (OHS collocated)
    MN-1
    MN-2
    MN-3
  domain 02
    MN-1
    MN-2
    MN-3
  domain 03
    MN-1
    MN-2
    MN-3
COMMON ERRORs and ISSUES with OHS
OHS/Apache - HTTP 403 - Forbidden error message
A 403 is returned when the requested directory is not granted access; the virtual-host configuration below grants it for the document root:
DocumentRoot "/techslabs/monitoring"
ServerName techslabs.techsteppers.com
ErrorLog "${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/techslabs.techsteppers.com-error_log"
CustomLog "${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/techslabs.techsteppers.com-access_log" common
<Directory "/techslabs/monitoring">
    Options Indexes MultiViews
    AllowOverride None
    Require all granted
</Directory>
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
This error occurs when your web server is not available or the backend resource has access issues; it is commonly seen in reverse proxy setups where the backend servers are down. As all traffic is passed to the backend, this error is expected.
To fix this, start the backend application, or if it is a web tier, start that.
OHS – set a redirect rule –
##RewriteEngine on
##RewriteRule "/devtech" "https://www.techsteppers.com/devtech2/" [R]
Below syntax didn't work:
##Redirect "/devtech1" "/devtech2"
##
## Alias "/devtech2"
##